jtblin / kube2iam

kube2iam provides different AWS IAM roles for pods running on Kubernetes
BSD 3-Clause "New" or "Revised" License

Openssl vulnerability (CVE-2020-1967) in latest version (0.10.11) #285

Closed lululu0620 closed 3 years ago

lululu0620 commented 3 years ago

We found a vulnerability (CVE-2020-1967) in openssl, as shown in the following picture: [screenshot: Screen Shot 2020-11-04 at 12 07 32 PM]

This issue will be fixed in version 1.1.1g of openssl, while we currently use version 1.1.1d, which comes from golang:1.14.0.

The fix could be either adding an openssl upgrade command to the kube2iam Dockerfile, like the following, or waiting for the Golang image to upgrade its openssl version.

RUN apk upgrade --update-cache --available && \
    apk add openssl && \
    rm -rf /var/cache/apk/*

Upgrading in the kube2iam Dockerfile will be a more efficient way to solve this issue, since the Golang image did not upgrade its openssl version even in its latest release.
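As an added example that is not part of this issue or the kube2iam project, a POSIX sh check that compares an image's OpenSSL version string (the `1.1.1d` found here) against the fixed release `1.1.1g` named above, so a build or CI step can fail when the base image is still behind; the function names and the version strings fed in are my own constructed inputs.

```shell
#!/bin/sh
# Added example (not from the kube2iam project): decide whether an OpenSSL
# version string is at or above the release that fixes CVE-2020-1967.
# Assumes the 1.1.1x letter-suffix scheme, where 1.1.1d < 1.1.1g.

OPENSSL_FIXED="1.1.1g"   # fixed release named in the issue

# letter_rank SUFFIX -> ASCII code of a one-letter suffix, 0 for no suffix
letter_rank() {
  [ -n "$1" ] && printf '%d' "'$1" || printf '0'
}

# openssl_at_least VERSION MINIMUM -> exit 0 if VERSION >= MINIMUM
openssl_at_least() {
  v_num="${1%%[a-z]*}"; v_suf="${1#"$v_num"}"   # "1.1.1" and "d"
  m_num="${2%%[a-z]*}"; m_suf="${2#"$m_num"}"   # "1.1.1" and "g"
  # Compare the dotted numeric components field by field.
  old_ifs="$IFS"; IFS=.
  set -- $v_num; va=${1:-0}; vb=${2:-0}; vc=${3:-0}
  set -- $m_num; ma=${1:-0}; mb=${2:-0}; mc=${3:-0}
  IFS="$old_ifs"
  for pair in "$va:$ma" "$vb:$mb" "$vc:$mc"; do
    l=${pair%%:*}; r=${pair##*:}
    [ "$l" -gt "$r" ] && return 0
    [ "$l" -lt "$r" ] && return 1
  done
  # Numeric parts are equal: the letter suffix decides (none < a < ... < z).
  [ "$(letter_rank "$v_suf")" -ge "$(letter_rank "$m_suf")" ]
}

# check_openssl_version VERSION -> prints a verdict, exit 1 if still unfixed
check_openssl_version() {
  if openssl_at_least "$1" "$OPENSSL_FIXED"; then
    echo "openssl $1: at or above $OPENSSL_FIXED, CVE-2020-1967 fixed"
    return 0
  fi
  echo "openssl $1: below $OPENSSL_FIXED, CVE-2020-1967 unfixed"
  return 1
}

# Constructed inputs: the version the issue found, and the fixed one.
# In a real image you would feed in: openssl version | awk '{print $2}'
check_openssl_version "1.1.1d" || echo "-> build should fail here"
check_openssl_version "1.1.1g"
```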

lululu0620 commented 3 years ago

It was fixed in version: kube2iam-2.5.2